I'm about to go online with my first web site, it is a small project hosted on a regular home PC running Windows 7. I want to keep the software footprint at a minimum, so it only contains the operating system and the web server with the website files, no antivirus, no SQL, no nothing. And except for the network cable it is completely isolated from the outside world, no cd/dvd, no keyboard, no mouse, no monitor. The Windows firewall is set up to only allow incoming traffic on port 80, all outgoing traffic is blocked.

I am not a network security expert, so please correct me if I'm wrong: I think with this setup, the only possible way to access the files and folders on that computer is through the web server via port 80, which means: if the web server allows no unauthorized access I can then trust my files will remain private. If I'm wrong, please explain why and how to solve it, again with a minimal software footprint.

Right now my main concern is privacy, so I may ignore advice on other security issues.

EDIT:

I know my web server software will be the target of most attacks, but it is not the main gate which worries me: I know in advance all sorts of people will try to pass through it, so I can be prepared and set up a whole army of police officers right there. What worries me are the possible back doors that may exist without me knowing... so my question is, in that sense, how to make the OS fully and completely isolated from the outside world, in such a way that the only possible access point is through my web server listening on port 80.

3 Answers

It isn't a game of magic ports used by hackers. If there isn't a service running on the port, it's unlikely in the extreme to result in a compromise, but it's nonetheless a good idea to use a strong firewall, especially on Windows, where lots and lots of services are running by default.

That said, if someone is going to compromise your web server, they will do so using the software you are letting them access (both your http daemon and any CGI applications you're using). So, the answer is no.

You haven't given a lot of detail about what this project is, but if it's a CGI application of some kind, the most important thing you can do is code it carefully to avoid vulnerabilities. If someone can inject shellcode into it and pop a shell, they can usually access things you didn't intend.

Webserver misconfiguration can also be a problem, if you allow things like directory traversal and indexes; these can be used by attackers to "trick" the web server into serving up things you didn't plan on.

If you allow users to upload files, be careful as well; they might upload scripts you'll accidentally run, or upload malware which you'd then be serving.

Sometimes functionality you intend on can be abused too; forced browsing (as with wordpress trackbacks) and email sending can both be abused by attackers to hide their activities behind you.

Some things you can do are:

Use a separate user for your web application. In IIS, set the application pool user in the CGI settings, and the user used for anonymous authentication in the authentication settings. Make a specific user for this and limit their privileges to the minimum necessary.

Try to think of all the things that can be done with any application you implement and make available, rather than just the things you intended it to do.
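A worked configuration for the points above (a dedicated low-privilege identity for the site, no directory listings, the question's port-80-only firewall policy), added here as an example rather than code from the answer; the site, pool, account and path names are placeholders:

```powershell
# Added example, not code from the answer: a least-privilege IIS identity on Windows 7 / IIS 7.5.
# Assumptions: the "IIS Management Scripts and Tools" feature (WebAdministration module) is
# installed; site "Default Web Site", root C:\inetpub\wwwroot, pool "SitePool" and account
# "websvc" are placeholder names. Run from an elevated PowerShell prompt.
Import-Module WebAdministration

$user = 'websvc'; $pool = 'SitePool'; $site = 'Default Web Site'; $root = 'C:\inetpub\wwwroot'
$secure = Read-Host -AsSecureString "Password for $user"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Dedicated local account: member of "Users" only, password cannot be changed and never expires.
net user $user $plain /add /passwordchg:no /comment:"IIS worker identity" | Out-Null
wmic useraccount where "name='$user'" set PasswordExpires=false | Out-Null

# 2. Run the application pool as that account (identityType 3 = SpecificUser).
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 3; userName = $user; password = $plain }
Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value $pool

# 3. Anonymous requests impersonate the same account instead of the default IUSR.
$anon = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anon -Name userName -Value $user
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anon -Name password -Value $plain

# 4. No directory listings; under the upload folder, handlers may only read (no script execution).
New-Item -ItemType Directory -Force "$root\uploads" | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/uploads" `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'

# 5. NTFS: read/execute on the site root, write only inside the upload folder.
icacls $root /grant "${user}:(OI)(CI)RX" | Out-Null
icacls "$root\uploads" /grant "${user}:(OI)(CI)M" | Out-Null

# 6. Host firewall matching the question's policy: inbound TCP/80 only, all outbound blocked.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
netsh advfirewall firewall add rule name="HTTP in" dir=in action=allow protocol=TCP localport=80 | Out-Null
```

The account only ever holds the rights granted in steps 2 to 5, so a bug in the site's own code runs with those rights and not with the rights of the administrator who set the machine up.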

I know anything connected to port 80 will be prone to attacks, and I can think of lots of ways in which it can be done, but what worries me is not what I know, but what I don't know, so my question rather is: "what else can be attacked (outside port 80)?"
– george b, Mar 26 '14 at 1:24


It isn't about ports. Individual ports are not particularly special; it's the services that are running. Focusing on ports alone misses the point.
– Falcon Momot, Mar 26 '14 at 1:49

In short: what I want is a server which can only be accessed through port 80... so, how do I completely isolate the OS from the outside world, making my web server the only and unique way to get in and out? Is such a thing even possible?
– george b, Mar 26 '14 at 1:55


No, it isn't. Ignore the ideas you have about port 80; it isn't as though data being addressed to that port guarantees anything about it or about how it is processed. And, the data that comes in gets processed by the server in ways that must involve the OS at several levels.
– Falcon Momot, Mar 26 '14 at 1:56

So... you are saying it is impossible to block the back doors, whatever they are?
– george b, Mar 26 '14 at 2:02

Right now my main concern is privacy, so I may ignore advice on other security issues.

You are exposing at the very least your IP address, which can be mapped to a specific location, so that sounds like minus points for privacy.

The firewall's purpose is to limit access to services. It does not prevent "bad" traffic on port 80 which then installs malware on your server or takes advantage of some unpatched vulnerability. Someone could install a malicious script that can read system information, including files, system info, etc. so this can also be a privacy concern. The value of private data on your server factors into your specific risk.

A basic firewall may not prevent DDoS attacks either, and it will not block attacks on specific web apps, on your web server, etc. Security needs to be applied in layers; the firewall should not be the only security protection used. Good coding and patching count for security.

...the only possible way to have access the files and folders on that computer is through the web server via port 80, which means: if the web server allows no unauthorized access I can then trust my files will remain private.

This part assumes that there is no OS vulnerability or application vulnerability which can provide unauthorized privileges, privilege escalation, bypass, etc. They may not be able to connect with SMB, FTP, etc., but it's possible to take advantage of some vulnerability and gain access to files (remote shell, etc.).

Traffic on port 80 doesn't worry me, I know it is the first place where the bad guys will strike, so I am prepared for that. What worries me are the back doors, OS vulnerabilities mainly, but you don't explain how to avoid them. Is there any way to fully isolate the server so that whatever happens, the only possible gateway is port 80?
– george b, Mar 26 '14 at 1:44

What about running VirtualBox on your Windows machine, and in a new virtual machine running something more secure like Debian Linux, with the Apache web server on that? Then you can use iptables on Linux and the general security that comes with Linux.

Or simply install Linux directly on the host. I am sorry, but if you want a secure system, running a web server on Windows 7 seems like it could get you in trouble.

Also, having a gateway device (a firewall/router) on the edge of your network would help a lot.

Also, like others have mentioned, it does not matter how many firewalls and how few holes you have in your outer defences: if your web server or your own scripts have faults, none of it matters.